I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.

Please check the box if you want to proceed.

I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.

Please check the box if you want to proceed.

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

Center (SDSC) has done.

But that doesn't mean they're about to rip the firewalls from their own environments.

Can a network be adequately protected without a firewall? Probably. But then, you could walk from New York to L.A. instead of flying, but why would you? Jeffrey Wilson,

Their comments come in response to a SearchSecurity.com story Monday about how the SDSC has suffered only one security breach in a period of almost six years, even though the organization doesn't use firewalls.

At the 2006 USENIX Annual Technical Conference in Boston, Abe Singer, computer security manager for the SDSC's Security Technologies Group, explained that his organization has managed to minimize intrusions through host-based security measures that include a centralized configuration management system; regular and frequent patching; and strong authentication that includes a strict ban on plaintext passwords.

Singer said there's a "horrible truth" about firewalls: they have performance problems, are vulnerable to cascade failures and changing one rule on the network can open up a security hole someplace else. He also said firewalls can't protect organizations from malicious users that may be operating inside the perimeter and that many enterprises put too much faith in their firewalls at the expense of other needed defenses.

Readers generally agreed, including Scott Evans, a technical support professional for an Atlanta-based communication technology company who is also working toward a Bachelor's degree in information security. He said he once worked for a company that used a firewall appliance for VPN connections, authentication and routing. The appliance failed one day, and nobody on either side of the perimeter could access any corporate resources.

"This is an example of the company relying solely on the firewall for protection," he said in an email exchange. In his opinion, companies must also rely on a strong security policy that identifies protection requirements for the most important assets; centralizes management of hosts and authentication methods; and emphasizes end-user education.

Still, most readers said it's still better to have a firewall as part of a layered security program. Nearly 80% of those polled by SearchSecurity.com said a firewall isn't a cure-all, but it's a key part of a multi-layered security program. Only 4% said everyone should use a firewall no matter what, and 16% said top-notch security is possible without one.

"I do think that many people become complacent having a firewall in place," Jeffrey Wilson, operations manager for the Albany, N.Y.-based Times Union newspaper, said in an email exchange. "They think that the firewall is the network security panacea, which of course it is not. It is only one tool of many that should be in place in any well-configured, Internet-facing network."

Wilson said he's a firm believer in the defense-in-depth philosophy, which includes firewalls, intrusion defense systems (IDS), patching, VLAN configuration, proxy servers, antivirus, strong policies and tools to enforce those policies. "Can a network be adequately protected without a firewall?" he asked. "Probably. But then, you could walk from New York to L.A. instead of flying, but why would you?"

Boston-based IT professional Jim Weiler said the no-firewall approach is probably most achievable in smaller environments with fewer than 100 machines, few configurations and few Internet access points. But, he said in an email exchange, firewalls are a "worthwhile addition to" a layered defense in larger environments, especially ecommerce sites. In fact, some companies must have a firewall for the sake of compliance.

"It's a PCI [Payment Card Industry data security standard] requirement, and would be considered due care and common practice, so from a liability reduction viewpoint it is also necessary," said Weiler, who also manages the Boston chapter of the Open Web Application Security Project (OWASP).

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy